Update 2/5/2019: Based on customer feedback, we are extending Delta update publication for Windows 10 versions 1607, 1703, 1709, and 1803. We will continue to provide Delta updates via the Microsoft Update Catalog through April 9th, 2019, which will be the last delta update available.

With Windows 10, quality updates are cumulative. Installing the most recent update ensures that you receive any previous updates you may have missed. We used a cumulative update model to reduce ecosystem fragmentation, and to make it easier for IT admins and end users to stay up to date and secure. However, cumulative updates can prove challenging when it comes to the size of the update and the impact that size can have on your organization’s valuable network bandwidth.

When a new Windows 10 feature update is released, the first cumulative update is generally between 100-200 MB in size. Across all versions of Windows 10, cumulative updates grow as additional components and features get serviced, pushing the size to somewhere between 1-1.2 GB. Generally, this happens within the first 6-8 months after the release of a feature update.

To help you reduce the burden on your network bandwidth, yet still receive the same equivalent update, Microsoft designed three different update types:

Full updates have all the necessary components and files that have changed since the last feature update. We refer to this as the latest cumulative update, or LCU. It can quickly grow to a little over 1 GB in size, but typically stays that size for the lifetime of that supported version of Windows 10.

Express updates generate differential downloads for every component in the full update based on several historical bases. For example, the latest May LCU contains tcpip.sys. We will generate a differential for all tcpip.sys file changes from April to May, March to May, and from the original feature release to May. A device leveraging express updates will use a network protocol to determine the optimal differentials, then download only what is needed, which is typically around 150-200 MB in size each month. Ultimately, the more up to date a device is, the smaller the size of the differential download. Devices connected directly to Windows Server Update Services (WSUS), System Center Configuration Manager, or a third-party update manager that supports express updates will receive these smaller payloads.

Delta updates include only the components that changed in the most recent quality update. Delta updates will only install if a device already has the previous month’s update installed. For example, assume in May that we changed tcpip.sys and ntfs.sys, but did not change notepad.exe. A device that downloads the delta update will get the latest version of tcpip.sys and ntfs.sys, but not notepad.exe. Delta updates include the full component (not just the individual files) that changed. As a result, they are larger than express updates, often around 300-500 MB in size.

Regardless of which type of update is installed on a device, that update is fully cumulative and installing the latest update will ensure that the device has all the necessary quality and security improvements.

This raises an important question: why make delta updates available if express updates are more optimized and don’t require the previous month’s update already be installed? Delta updates were originally created because the express update protocol was only available to devices connecting directly to Windows Update or Windows Server Update Services. In January 2017, the express protocol was extended to all 3rd party update management systems; however, we continued to ship delta updates to give companies and third-party update management tools time to implement support for express updates.

Currently delta updates are available for the following versions of Windows 10:

Windows 10, version 1607

Windows 10, version 1703

Windows 10, version 1709

Windows 10, version 1803

Now that express update support for third-party update managers has been available for over a year, we plan to stop shipping delta updates. Beginning February 12, 2019, Microsoft will end its practice of creating delta updates for all versions of Windows 10. Express updates are much smaller in size, and simplifying the cumulative options available will reduce complexity for IT administrators.

Hey. Maybe you will also fix an issue with Windows 10 not seeing a few of the latest CU updates on WSUS after a feature update. This has been an issue with 1703 and newer versions (maybe even earlier). I now have a script wiping SoftwareDistribution on every startup, because I can't find any other way to make it pull the latest CU from WSUS otherwise (although WSUS shows that they are needed). This is one of the most annoying sides of "windows as a service".

P.S. this site is so bullsh. It constantly eats my comments (yeah, I had this page opened for a while, it's not a reason to fail to authenticate when posting a comment), it is HORRIBLE on mobile.

Thanks. I think it is not isolated to WSUS only though. I had the same issue after my parents' laptop was updated to 1803. It couldn't find the latest CU, although it found Flash player updates. Using Windows Update there.

The definition you gave for "Express updates" contradicts the WSUS definition of "express updates". In WSUS, not only is an express update not smaller, it is significantly larger; but, allegedly, it installs faster.

Of course, it is still possible that these two are the same: The update is larger for the server, but clients download less. If that's the case, I don't use them; size matters much more on the Internet connection, not on the local network connection.

That is correct - if you enable express on WSUS, the update you download to the server is much larger (typically over 4GB in size). Then each client that connects to WSUS gets the much smaller download size. So it works well in scenarios where enterprises have branch offices with slower download links while their central location has a much larger pipe.

The file is larger on WSUS because it contains all the baselines that any client could ask for, as well as all SKU's and architectures. While the clients only download the SKU, architecture, and specific component differentials that they need.

Oleg, for your parents' machine, which I'm assuming is connected directly to Windows Update, when it downloads a feature update it also downloads and installs the latest cumulative update (LCU) at the same time. So when they upgraded to 1803, they were already fully up to date on LCUs.

Example:

1803 released in April

April Patch Tuesday, first 1803 LCU released (I'll call this 1804B)

May Patch Tuesday, another 1803 LCU released (I'll call this 1805B)

If your parents' machine upgraded on May 22nd (one week after Patch Tuesday) they would download and install both the feature update and the 1805B LCU. They would only see a single reboot, and their machine would be fully up to date.

Of course, I actually am working somewhere with a branch office but that office does not use an upstream WSUS over WAN; it is cheaper to connect to the Internet than to connect to the main office. Our orders are to keep the redundant traffic off that WAN link. So, the branch office admin has a separate WSUS deployment.

Oleg, I don't think deleting the SoftwareDistribution folder should have had an impact. Any chance you also enabled a language pack or feature on demand (FoD) (.NET 3.5, many others)? Enabling language packs and features on demand triggers a new download of the quality update to make sure you have the latest language strings and any updates for the components in the FoD.

One way to see if you have the current LCU is to look at the windows version and then compare to the release information page. If you get into this state again it would be interesting to see what the winver is before and after you delete the SoftwareDistribution folder.
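
The check described above (compare the winver build with the release information page), as an added PowerShell example that is not part of the original comment or Microsoft's tooling. The function names and the `$ExpectedRevision` table are hypothetical; its sample revisions are build numbers quoted by commenters on this page, and the inventory is constructed.

```powershell
# Expected revision per OS build once the latest cumulative update (LCU) is
# installed. Maintain it from the Windows 10 release information page.
# Sample values: revisions quoted in comments on this page, not current ones.
$ExpectedRevision = @{
    17134 = 165   # version 1803
    17763 = 592   # version 1809
}

function Get-OsBuildRevision {
    # Windows only. winver shows CurrentBuild.UBR, for example 17134.165.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Build    = [int]$cv.CurrentBuild
        Revision = [int]$cv.UBR
    }
}

function Test-LcuCurrent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Device,
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    process {
        # Casts let the function accept CSV imports, where values are strings.
        $build    = [int]$Device.Build
        $revision = [int]$Device.Revision

        if (-not $Expected.ContainsKey($build)) {
            # Build is not tracked in the table (possibly out of service).
            $status = 'UnknownBuild'
            $expectedText = ''
        }
        else {
            $want = [int]$Expected[$build]
            $expectedText = '{0}.{1}' -f $build, $want
            if     ($revision -lt $want) { $status = 'Behind' }
            elseif ($revision -gt $want) { $status = 'TableStale' }  # table needs updating
            else                         { $status = 'Current' }
        }

        [pscustomobject]@{
            Computer  = $Device.Computer
            Installed = '{0}.{1}' -f $build, $revision
            Expected  = $expectedText
            Status    = $status
        }
    }
}

# Constructed inventory. Build 16299 (version 1709) is deliberately absent
# from the table, and its revision is a made-up value.
$inventory = @(
    [pscustomobject]@{ Computer = 'PC-01'; Build = 17134; Revision = 112 }
    [pscustomobject]@{ Computer = 'PC-02'; Build = 17134; Revision = 165 }
    [pscustomobject]@{ Computer = 'PC-03'; Build = 17763; Revision = 557 }
    [pscustomobject]@{ Computer = 'PC-04'; Build = 16299; Revision = 1 }
)
$inventory | Test-LcuCurrent -Expected $ExpectedRevision | Format-Table -AutoSize

# On a Windows device, check the local machine instead:
# Get-OsBuildRevision | Test-LcuCurrent -Expected $ExpectedRevision
```

Running the same check before and after a rescan records exactly the winver values asked for above.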

I support a large globally distributed SCCM environment supporting multiple versions of Windows 10, both 32 and 64 bit and Server 2016. Having each Express update be > 4 GB (7.96 GB for x64 KB4338814 this month) quickly bloats the size of the Software Update Packages and is challenging to distribute globally in a timely matter. This impacts QA and PreProd testing time frames, especially for sites that are behind a slower WAN link.

Additionally, these updates increase the install time of the updates themselves, affecting the user experience.

Pappy, yes, the wsusscn2.cab file documents updates and can be used to show which KB#'s are missing on a machine. Regardless of whether you use the Full LCU or an express update, the actual KB you install is the same KB# and your device will have the same versions of all updated files on it.

I hope I will get some answers to my questions. I have tested Express Update, and my opinion is that it is better to leverage Full Update or LCU update types to patch our End User Devices until MS really brings improvements.

Reasons:

1. We deploy monthly patches to End User Devices through Microsoft SCCM CB integrated with WSUS. We have quite a number of Distribution Points connected at slow network sites, especially with the PULL DP concept. During our testing scenario, we realized that Express Update occupies more disk space on DPs than LCU update types. We are worried about replicating a 7GB to 8GB package to the Distribution Points hosted at low network bandwidth locations. I am quite disappointed; MS releases so many features across different product groups, and at the same time it is impacting the other products. We deployed PULL DP with the concept of Branch Office sites, and now we will not be able to utilize Express Updates because of content size limitations.

Questions: Let's take a scenario. Now we are in the month of July 2018. For now my Express update package has cumulative updates from January to June 2018 and a size of approx. 7GB to 8GB. Let's assume we move to December 2018 and we will have Express Update for the last one year including LCU and the content size approx. ??. Can I clean up the content library or content directory of Express Update (n-2) months, which means till October 2018, to get some disk space back? If I do so, how does it impact the Client Devices when they scan and install the Windows Updates, particularly in the space of Express Update?

2. Bad End User Experience: Express Updates take quite a lot to download and install the updates. One more bad user experience: SCCM Client Agent downloads and keeps the binaries at C:\windows\ccm\temp, with estimated disk space of 100 - 300 MB. After completion of deployment, these files are not cleaned up and cause disk space utilization on End User Devices. I am not sure; is it by design, with intention? Could you please advise me whether you have any information on when MS expects to announce the improvements, any ETA?

Mike, Can you clarify/confirm something you said above? Which is that express updates only contain three specific revisions of a file based on the baselines of N-1, N-2, and RTM. I've always assumed that it contained 'the latest' and that the client did a binary compare to download only the byte ranges it needed. The assumption being that this was theoretically infinite in terms of permutations versus what sounds like only one of three possibilities. Thanks, Bryan

Hello Bryan, It sounds like you are asking what is stored on the windows update service and available for clients to download. Generating differentials takes time and space on the service, so we generate the ones that will be most likely to be used by the highest number of users. We did some data analysis and identified that over 90% of users are within N-5 of being current (with the majority being at N-1). So we generate differential baselines for N-1, 2, 3, 4 and 5. And we also generate a differential for RTM. When a device goes to download an update it chats with the service to let it know what version of a file it has, and then the service determines which differential would be the best fit. Technically we could generate differentials for every possible baseline permutation, but that would take more processing time and more storage space. And as you see from other people on the thread, it also impacts the disk size and download of people running WSUS who want to enable express locally (since the same files we store for express on Windows Update are also sent to WSUS). So we try to make the best tradeoff across both experiences.

I agree, in your scenario using the full LCU may be a better fit. If WAN bandwidth is the most important, and you have a lot of machines in each branch office, then the full LCU may be the best way to optimize your bandwidth. On the other hand, if you have a branch with only a couple machines it may be best to enable Express on a WSUS at your headquarters and then have the machines at the branch download express updates from it. (3 machines x 150mb is smaller than downloading a full LCU to that small branch, and of course you wouldn't need to maintain a WSUS server there)

Yes, you should be able to clean up the express content library (assuming your devices are only on win10 where updates are cumulative). If you still have some win7 or win8.1 devices you may not want to clean out their older updates since they aren't fully cumulative from RTM. As long as you keep the latest cumulative express update, cleaning up the older ones shouldn't impact download bandwidth at all.

Unfortunately I'm not an expert on the SCCM client. I'll reach out to some of my colleagues to get an answer on the local disk space. The Windows Update agent keeps updates around on the disk until they've been superseded for 30 days. Which generally means you have N-2 worth of updates on the disk and then they automatically get purged. I'll ask the SCCM folks if they have a similar design.

Hello Rajkumar, I talked with someone on the SCCM team and they said that the SCCM agent should be cleaning up those files, assuming you are using the latest version (1802). Do you know what version you are using?

CUs aren't generally the main issue for us at least. It's the Builds...I'm honestly not sure how we can go from 1607 to the next or latest build in our environment.

We have clients in remote locations who are on a pair of bonded T1s. Doing these build updates and just crossing your fingers nothing goes awry is nerve wracking to say the least.

There needs to be a workstation LTSB option that still has the ability to access the Microsoft store. We are on a 4 year lease schedule and could totally roll new builds every PC cycle, but deploying remotely is an unmitigated nightmare that takes us away from legitimate projects.

Also on a side note, could you please tell me why my end-users need xbox, pandora, candy crush, etc...? We can kill those applications via MDT, but rolling the updates they get reinstalled.

I'd like to hear some suggestions on making these build updates as easy as possible. And for the love of god don't suggest SCCM, we don't have someone dedicated to managing that monster.

+1 on builds nightmare. It is not so bad here yet. But our users are getting increasingly mobile and our WSUS is only available inside our LAN. Users connect via VPN from homes with weak links and builds are just killing these connections. So far only a few issues, but we don't have many Windows 10 yet. Solutions are either making WSUS public (which might not help with weak connections anyway) or switching away from WSUS. None of them are good. But I don't see how MS can improve here, unless they find a way to vastly reduce size of feature updates. We are not on LTSB and updating every half a year and updates are still huge. But I don't want to do such updates more often to reduce the size either. It takes a few months to update 30 PCs to a new build already.

+1 on additional fluff. I guess Pro version is not Pro enough to not have home users stuff on it. You need to use for Workstations version to not get xbox, etc.

Just now I had one PC updated to 1803 after approving KB3012973 (1803 update for consumer versions en-us, released in July, newer 1803 update version, but it was the same with the May one). After installing it winver showed 17134.112. It has found a few more updates on WSUS after that (Flash player and some other regular update) and installed. Check for updates didn't return anything else. But WSUS was showing it still needs KB4338819 (July CU update). I have wiped SoftDist and did Check for updates again. Then it has pulled it, installed. Version changed to 17134.165. And then WSUS showed it doesn't require any updates.

Btw, another annoyance is that I have to press Check for updates dozens of times and also run wuauclt /reportnow or /detectnow a few times for the machine to actually update its status on WSUS. I would like for it to update its status right away after clicking on Check for updates.

The part of Windows that I work in is responsible for quality updates. Unfortunately, that means I'm not an expert on feature updates (new builds). I know the feature update team has done work in windows 1709 and 1803 to shrink the size of feature updates using the same express technology we use in quality updates. If you haven't seen it already, this looks like a pretty good resource for different deployment techniques for feature updates: https://docs.microsoft.com/en-us/windows/deployment/

Sorry I can't be more helpful on feature update questions. If you have a service contract your account manager should also be able to help you work through a detailed plan that is specific to your environment and challenges on getting devices upgraded.

Thanks for confirming the version and KB#'s. Did you install any language packs or features on demand after installing the upgrade? (like .net 3.5.1, or another language)? We're trying to reproduce this issue on our side.

Another bit. I have just installed another fresh install of 1803, connected it to WSUS. When I check for updates it pulls 2018-06 CU update. Shouldn't it pull 2018-07 instead (it is already approved for quite some time)?

Hello Everyone, As I mentioned in the comments above, we have been working on some ideas to improve quality updates and the amount of bandwidth they require - especially in enterprise and branch office scenarios. A colleague of mine has just posted a blog that explains the changes and it will address a lot of concerns people voiced in the comments here. The new technology will ship with the next versions of Windows.

Getting back to WSUS with Windows 10. Another issue I have is that Windows 10 is very slow on pulling security updates. It can take weeks before it actually tries to install them. Although if you go to Updates windows they are there and it seems it waits for a window when PC is not used, but that may never occur. I often have Windows 10 PCs not updated for 2-3 weeks. Windows 7 was usually updated in a few days. I think MS is trying too hard not to annoy users and creates a security problem here. And it is not isolated to WSUS setup, I see similar things with Windows Update. And with WSUS it sometimes also checks for updates, WSUS shows that they are needed, but on PC in Updates windows it shows that nothing is needed and you have to actually press Check updates and only then it starts downloading and installing them. I'm puzzled why automatic update which happens in our network every 4-6 hours can't pull the updates. From a security standpoint Windows 10 seems less secure with such delays in installing updates.

Yes, LTSB 2016 does support Express updates. If they are using server 2016 though, there was an issue causing express updates not to be available since November 2017. They were just re-enabled in November 2018. More details at this link

There is no difference between SAC and LTSC for express support. They both support it.

The requirement for about 1607 to support express is for SCCM. If they connect directly to Windows update, or use WSUS they have been able to use express since the Vista timeframe. Are your customers using SCCM, or a 3rd party update manager (IBM Big Fix and others?). In those cases they also need newer versions of the update managers to support it.

Is the topic of this article the reason why CUs in 17763 "touch" so many files in System32 relative to any other version of Windows that I've used?

By "touch" I mean do nothing more than update the date/timestamp on them. To be sure, some of the files actually are updated (i.e. version number changes), of course, but some, often many, just get a new date (that of when you ran the CU) but are actually the same file as before, as proven by checking hashes before and after.

This never used to be the case. It used to be that only the files that were actually updated received new dates, and those dates were when the files were compiled days earlier, not when they were installed. I actually prefer that way. Is there a way to opt back in to that method and still use WU?

@Brian .: Perhaps there is a reason for it. Perhaps not. It's a trifle. The thing I personally care about is that instead of a 1.1 GB update, I've received only a 121 MB update. I find that bothering with trifles distracts one from focusing on what matters in life.

No, the change to support smaller updates isn't directly related to the system32 file updates you have seen. There is a feature in windows called Windows Defender Application Guard which uses a client container (WIM file), and to minimize size it links to files outside the container. For the links to work, it needs the exact same version of the file outside the container as the reference inside. So these files get updated date/time stamps to ensure they stay in sync with the files in the container.

Since we now use the small LCU technique, these date/time stamp changes have almost no impact on your overall download size of the LCU. Back in the full LCU days you would have had to download the entire file even if it was only a date/time change.

It does bring up a natural question, though: why would the timestamping happen when WDAG isn't even enabled? It happens on any default installation of 1809 that I've tried, and WDAG is unchecked (and never installed previously) on any of them.

There is a single LCU for each architecture (x86, amd64, arm64) and it includes all the OS updates for every SKU and edition in that one file. When we build the LCU, we will have new versions of those system32 files you mentioned, and any device which has an older version of that file will install the newest. For example, if tcpip.sys gets updates (even if it's just a date/time stamp) then all devices will have that updated version of tcpip.sys on their device.

The case where you wouldn't have an updated file get installed is an optional feature and the file itself doesn't even exist on your system. For example, if you don't have the Spanish language enabled then the LCU won't install updated Spanish language files on your device. Those files do exist in the LCU though, so if you enable Spanish at some point, it will re-apply the latest LCU and ensure you do have the latest Spanish language files.

Technically we could create different LCU's for every SKU and optional feature combination but that would be a huge pain for customers (especially enterprises) to manage and validate in their environments.

thank god your pos update was able to automatically remove the update vs crashing all computers. I wonder how many people lost their computers due to ms not testing the release before releasing this pos? I know, no one because you were smoking crack, butt crack that is. I have 14 other computers that I have never been able to bring back to life because of your releasing updates with viruses and untested updates. I have lost nearly $20,000 or have $20,000 in boat anchors now

Is there a specific KB # or update you are referring to that crashed your computers? Have you contacted support about the issue? (they are much better equipped to help support issues than I could via a blog post)

Has anyone experienced a problem with Microsoft Apps no longer launching after this update [(March 12, 2019—KB4489868 (OS Build 17134.648) ] ? This includes Microsoft Solitaire and the calculator. Non-Microsoft apps are not affected.

Last weekend I tried to update from 1803 to 1809. It appeared successful with no issues. But my PC started blue screening every 10 minutes with HYPERVISOR ERROR. Contacted tech support twice. First guy got a dump file then thought he fixed it, but didn't. The next guy just had to roll back the upgrade. No problems since then. 1809 is not ready for release!

This information doesn't help me as I have Version 1809 Build 17763.557, but want to install Build 17763.592. My laptop is already trying to offer me Version 1903 via Windows Update, which it isn't ready to install yet because I'm missing the latest update of 1809.

How about addressing vulnerabilities for CVE-2019-1181 and CVE-2019-1182 in Windows 10 1709 Pro, which is only 2 years old. We're being forced into upgrading our entire fleet >400 machines because there is no patch for this vulnerability! That is poor, poor form....

You're mistaken. Those updates don't install on Win10 1709 Pro, as I mentioned. I am not hijacking nothing. This blog post is related to updates, I am calling out Microsoft for not supporting Critical vulnerabilities.

For sure there are updates for these. "Reminder: Windows 10, version 1709, reached end of service on April 9, 2019 for devices running Windows 10 Home, Pro, Pro for Workstation, and IoT Core editions. These devices will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10."

Are you running Windows 10 Pro by any chance? If so, you need to be on a supported version. And yes this is better served in a forum setting not here. Or sign up at www.patchmanagement.org and I can give you more details as to why this is the way it is on Windows 10 and how to cope with feature updates.

Yes, a lot of our machines are running Windows 10 1709 Pro. I am simply stating that an OS version that is currently less than two years old not receiving CRITICAL vulnerability security updates is extremely poor form from Microsoft. Given how unreliable updating Windows 10 has been to date, Microsoft should be supporting at least critical updates for OS's only 2 versions behind. Microsoft has had issues with every single release of Windows 10, it is no wonder why we are hesitant to upgrade.

I understand Microsoft is changing this method to be regular updates rather than upgrades which is great, but that is not how it is at present.